We scanned the script using Fortify and errors with category: Header Manipulation: Cookies and they are pointing to this code inside remove method implementation:
document.cookie=a+"=;expires="+b.toGMTString();document.cookie=a+"=;expires="+b.toGMTString()+"; path=/";

Release : 9.1

Component : AuthMinder(Arcot WebFort)

Our recommendation is to apply the patch DE537482_hotfix (arcotjsclient_jso.js) to resolve this issue.